All You Need to Know About Public Trust for TLS/SSL Certificates
Learn about the rules of publicly trusted TLS/SSL certificates across their lifecycle. From issuance to installation to renewal and revocation.
Public and Private Trust in the World of PKI
Publicly trusted TLS/SSL certificates are used for public-facing website projects (e.g., websites, landing pages, microsites, etc.) and are needed in order to avoid browser warnings.
Trust is what makes public TLS/SSL certificates useful. In the public trust model, trust in each browser (Safari, Chrome, Microsoft's browser, and Mozilla Firefox) and, in most cases, each operating system (Windows, OS X, Apple iOS, and Android) is anchored by the root certificates of the certification authorities (CAs) that the vendor has authorized in its root program: a certificate is trusted only if it chains to one of those roots.
With private trust, each individual or organization makes their own trust decisions to augment those made on their behalf by the browsers. They do this by adding specific private roots into the trust store used by their browser. This will cause the browser to trust certificates that are chained to the private root. CAs can establish and manage their own certificate policies for private certificates, providing more flexibility for internal IT environments.
What are the use cases for public trust TLS/SSL certificates?
- Website Security: Encrypting data transmitted between a user’s browser and a web server, protecting sensitive information like passwords and credit card numbers.
- E-commerce: Securing online transactions and user data, ensuring trust in payment processes.
- APIs: Securing data exchanges between services and applications, ensuring secure communication in web services.
- Authentication: Verifying the identity of users and devices accessing services, enhancing overall security.
These certificates help establish trust and secure communications across various digital platforms.
What are the use cases for private trust TLS/SSL certificates?
- Machine Identity: Providing security and trust of machines by establishing trust with high-assurance, certificate-based identities.
- IoT Device Communication: Securing communications between internal IoT devices or applications that do not require public exposure.
- Internal Websites and Applications: Private certificates can secure communications within internal websites and applications. For example, a company might leverage private certificates to enable HTTPS on an internal employee portal, like HR or finance systems, where sensitive data is exchanged.
- VPNs: Private certificates can be used for client and server authentication in a VPN scenario. This ensures that only trusted devices with the appropriate private certificate can connect to the corporate VPN.
- Inter-Organizational Communication: Partner companies can manually configure their systems to accept each other’s private certificates.
- Development and Testing: Allowing developers to create and test applications in a secure environment without the need for public certificates.
- API Security: Protecting internal APIs, ensuring that only authorized services communicate securely without external validation.
- Custom Solutions: Supporting specialized applications that require tailored security solutions, like proprietary software or platforms. Private trust certificates enable organizations to manage security internally without the need for external certificate authorities, while still ensuring data protection and integrity.
Should I use public trust certificates for a use case that's considered private trust?
Public trust certificates can be used for private use cases, but doing so may add operational overhead, because shortening certificate lifespans mean the certificates must be replaced more frequently. Without lifecycle automation, this approach may be time- and cost-prohibitive.
Certification Authority Browser Forum (CA/B Forum)
The CA/Browser Forum is a voluntary organization of certificate issuers and suppliers of internet browser software and other applications that use certificates (certificate consumers). As a founding member of the Forum, Entrust actively contributes to developing industry standards known as Baseline Requirements, for the issuance and management of publicly trusted certificates.
The CA/Browser Forum is responsible for implementing new rules and policies that certification authorities (CAs) like Entrust must adhere to, as well as establishing regulations for CAs and their audits by third-party programs such as WebTrust and ETSI. In addition to the Forum, rules come from browser root program policies from browsers such as Mozilla, Microsoft, Apple, and Google. CAs must undergo annual audits to ensure they comply with standards, and the audit reports are shared with browsers. Any issues found must be addressed, potentially leading to certificate revocation. The Forum, as a standards-issuing body, does not enforce requirements and lacks the authority to make exceptions.
The requirements of the CA/Browser Forum evolve in response to the changing threat landscape and new technologies. They are enforced not by the Forum itself but by certificate consumers such as web browser vendors and email clients, through their root programs. Not all changes originate in the Forum, but they are eventually adopted, because CAs such as Entrust must comply with them to retain support in relying-party software.
Validity Periods
The CA/Browser Forum establishes TLS/SSL certificate validity periods through a member voting process outlined in its governing bylaws. Since Sept. 1, 2020, the maximum certificate validity has been 397 days, or approximately 13 months. The prospective move to 90-day, or even 45-day, certificate lifespans, as per Apple’s recent proposal, will be a significant shift for many organizations, because it makes visibility, control, and automation more critical. Read our blog post and watch our webinar to learn the recommended next steps and how to plan your strategy before shorter certificate lifespans become the norm; automation plays a crucial role in this transition.
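To make the operational impact of validity periods concrete, here is an added example (not Entrust code) that audits a constructed certificate inventory against the 397-day cap, computes a renew-by date for a chosen lead time, and estimates how many renewal events per year a fleet needs under 397-, 90- and 45-day lifetimes. The inventory names and dates are constructed; only the 397-day figure comes from the page.

```python
"""Validity-period checks for a TLS certificate inventory.

Added example, not Entrust code. The inventory below is constructed for
illustration; the only policy value taken from the page is the 397-day cap.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_PUBLIC_VALIDITY_DAYS = 397  # CA/Browser Forum maximum since Sept. 1, 2020
UTC = timezone.utc


@dataclass(frozen=True)
class CertRecord:
    name: str
    not_before: datetime
    not_after: datetime

    @property
    def validity_days(self) -> int:
        """Lifetime as the issuer encoded it (notAfter minus notBefore)."""
        return (self.not_after - self.not_before).days


def exceeds_public_maximum(cert: CertRecord, max_days: int = MAX_PUBLIC_VALIDITY_DAYS) -> bool:
    """True if the lifetime is longer than a publicly trusted CA may issue today.

    Such a certificate is either privately trusted or predates the cap; either
    way it deserves a closer look during inventory review.
    """
    return cert.validity_days > max_days


def renew_by(cert: CertRecord, lead_days: int = 30) -> datetime:
    """Latest date to start renewal so the replacement is live before expiry."""
    return cert.not_after - timedelta(days=lead_days)


def is_renewal_due(cert: CertRecord, now: datetime, lead_days: int = 30) -> bool:
    return now >= renew_by(cert, lead_days)


def renewals_per_year(lifetime_days: int, cert_count: int = 1, lead_days: int = 30) -> int:
    """Renewal events per year for a fleet renewed lead_days before expiry.

    The effective cycle is lifetime minus lead time, which is why a 45-day
    certificate renewed 30 days early is renewed roughly every two weeks.
    """
    cycle = lifetime_days - lead_days
    if cycle <= 0:
        raise ValueError("lead time must be shorter than the certificate lifetime")
    return math.ceil(365 / cycle) * cert_count


def audit_inventory(certs, now: datetime, lead_days: int = 30):
    """One finding per certificate: lifetime, policy check, renewal status."""
    return [
        {
            "name": c.name,
            "validity_days": c.validity_days,
            "exceeds_397_day_cap": exceeds_public_maximum(c),
            "renew_by": renew_by(c, lead_days).date().isoformat(),
            "renewal_due": is_renewal_due(c, now, lead_days),
        }
        for c in certs
    ]


# Constructed sample inventory (hypothetical names and dates).
SAMPLE_INVENTORY = [
    CertRecord("www.example.com", datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 2, 1, tzinfo=UTC)),
    CertRecord("portal.corp.example", datetime(2024, 1, 1, tzinfo=UTC), datetime(2026, 1, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, datetime(2025, 1, 5, tzinfo=UTC)):
        print(finding)
    for lifetime in (397, 90, 45):
        print(f"{lifetime}-day certificates, fleet of 100: "
              f"{renewals_per_year(lifetime, 100)} renewals per year")
```

The second inventory entry has a 731-day lifetime, so it cannot be a current publicly trusted certificate; the audit flags it rather than silently scheduling it. The renewals-per-year figure is the number a team must absorb by hand if it has no automation.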
Revoking Certificates
The Baseline Requirements of the CA/Browser Forum establish a timeframe for revoking mis-issued certificates, which can be either 24 hours or five days, depending on the specific situation. The CA is obligated to conduct a thorough investigation of the reported issue and provide a preliminary report to both the subscriber and the reporting entity. After the investigation, the CA will work with the subscriber and any relevant parties to determine whether the certificate should be revoked and, if necessary, establish a revocation date. The CA is typically able to address the issue with minimal impact on organizations. A subscriber should be prepared to respond quickly to a CA’s request to revoke the certificate in a short timeframe to avoid any service disruptions.
Certificate Lifecycle Management (CLM)
Take the guesswork out of certificate lifecycle management
Discover, manage, and automate all certificates throughout your organization using an end-to-end, scalable certificate lifecycle automation solution. Take advantage of the simplicity and flexibility of our management portal that allows you to:
- Find unknown TLS/SSL certificates associated with your organization with our Discovery+ suite of tools and keep track of them from one centralized location
- Manage public and private certificates, regardless of issuing CA, from a single dashboard
- Streamline domain verification to a single click after a one-time self-service setup that automates domain verification for you
- Automate certificate installation, deployment, and renewals from a simple, cloud-based platform
- Get insight with comprehensive real-time reporting and alerts to help maintain regulatory compliance and protect against unexpected certificate expiry
- Benefit from integration with third-party vendors, including ServiceNow, Venafi, Ansible, and Microsoft Azure
CLM Resources
- Certificate Management Made Easy: Find the tools you need centralized in one place to safely identify, issue, manage, delegate, and automate your certificates’ lifecycle.
- Centralized TLS/SSL Certificate Lifecycle Management: Consolidate processes and TLS providers without interruption using certificate management and monitoring services.
- What Is TLS/SSL Certificate Management and How to Implement It?: Learn the basics of effective TLS certificate lifecycle management.
- Entrust Certificate Services: The Entrust Certificate Services platform greatly reduces security issues associated with certificate lifecycle management, for security beyond the certificate.
- Entrust Certificate Services: Get a web-based certificate lifecycle management platform for all your digital certificates.
- Entrust Certificate Services Discovery+: Find, inventory, and manage certificates across diverse systems to prevent outages and data breaches.
- Digital Certificates Industry Updates and Best Practices: Learn how current global trends are shaping TLS/SSL certificate usage.
- SSL Market Directions – Learn from the experts: Gain insights into the next big trends in the public trust world and hear TLS/SSL market predictions.
Certificate Automation
The Entrust solution provides customers with a variety of options for automating the certificate issuance and management processes:
- Automate your certificate issuance using Entrust's proven REST API, our industry-standard ACMEv2 service, or CLM platforms such as the Entrust Certificate Services platform or Certificate Hub.
- Simplify continuously proving control of your organization’s domains by automating it separately, using our REST API or our industry-first ACMEv2 preauthorization support. Customers can also verify domains on the fly while issuing certificates via ACMEv2.
- Automate renewals and handle early emergency certificate revocations automatically with ACME Renewal Information (ARI).
- Know when automated processes may have stumbled, with monitoring, alerts, and notifications so you can be confident your certificates and domains are kept up to date, avoiding outages and operations emergencies.
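The ARI item above is the piece of ACMEv2 automation that decides when a renewal happens, including the early renewals a CA can request ahead of a revocation. The following added example (not Entrust code and not an Entrust API) shows the client side of ACME Renewal Information as specified in RFC 9773: it builds the certificate identifier from the Authority Key Identifier and serial number, then picks a renewal time inside the CA's suggested window. The AKI and serial values match the worked example in the ARI specification; the renewalInfo JSON documents and the clock value are constructed. No network calls are made; fetching the renewalInfo resource and submitting the new order are left to the ACME client.

```python
"""ACME Renewal Information (ARI, RFC 9773) client-side scheduling.

Added example, not Entrust code. The AKI/serial pair is the worked example
from the ARI specification; the renewalInfo responses are constructed.
"""
import base64
import json
import random
from datetime import datetime, timezone


def _b64url(data: bytes) -> str:
    """base64url without padding, as ACME requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def ari_cert_id(aki_key_identifier: bytes, serial_number: int) -> str:
    """RFC 9773 identifier: base64url(AKI keyIdentifier) '.' base64url(serial).

    The serial part is the content octets of the DER INTEGER (no tag or
    length), so a leading 0x00 is kept when the top bit is set.
    """
    if serial_number < 0:
        raise ValueError("X.509 serial numbers are positive integers")
    length = (serial_number.bit_length() + 8) // 8  # leaves room for the sign bit
    serial_der = serial_number.to_bytes(length, "big")
    return f"{_b64url(aki_key_identifier)}.{_b64url(serial_der)}"


def parse_rfc3339(stamp: str) -> datetime:
    """RFC 3339 timestamps as ARI sends them; 'Z' is normalised for fromisoformat."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def plan_renewal(renewal_info: dict, now: datetime, rng=None) -> dict:
    """Choose a uniformly random instant inside suggestedWindow.

    Randomising within the window, as RFC 9773 recommends, keeps a fleet of
    clients from renewing at the same moment. If the chosen instant is already
    in the past, renew immediately: that is also what a client sees when the
    CA moves the window earlier to get a certificate replaced before it is
    revoked, in which case explanationURL (if present) says why.
    """
    rng = rng or random.Random()
    window = renewal_info["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    chosen = start + (end - start) * rng.random()
    return {
        "renew_at": chosen,
        "renew_now": chosen <= now,
        "explanation_url": renewal_info.get("explanationURL"),
    }


# AKI keyIdentifier and serial from the ARI specification's worked example.
SPEC_AKI = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8AA")
SPEC_SERIAL = 0x0087654321
SPEC_CERT_ID = "aYhba4dGQEHhs3uEe6CuLN4ByKo.AIdlQyE"

# Constructed renewalInfo responses (shape per RFC 9773; values made up).
ROUTINE_WINDOW = json.loads(
    '{"suggestedWindow": {"start": "2025-06-10T00:00:00Z", "end": "2025-06-12T00:00:00Z"}}'
)
URGENT_WINDOW = json.loads(
    '{"suggestedWindow": {"start": "2025-05-01T00:00:00Z", "end": "2025-05-01T06:00:00Z"},'
    ' "explanationURL": "https://ca.example/ari-notice-placeholder"}'
)
NOW = datetime(2025, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed clock

if __name__ == "__main__":
    print("renewalInfo path component:", ari_cert_id(SPEC_AKI, SPEC_SERIAL))
    for label, info in (("routine", ROUTINE_WINDOW), ("urgent", URGENT_WINDOW)):
        print(label, plan_renewal(info, NOW))
```

A client built on this logic polls the renewalInfo resource periodically (honouring the Retry-After header the CA returns) rather than reading it once, because the whole point of ARI is that the window can change after issuance. The "urgent" sample shows the revocation case: the window is already in the past relative to the clock, so the decision is to renew now, and the explanation URL is what operators should surface in their alerting.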
Certificate Automation Resources
- Best Practices for Shorter TLS/SSL Certificate Validity – Road to 90 Days: Learn about the implications of Google's 90-day TLS validity proposal for your business.
- The Importance of Automation and Innovation in CLM: It’s critical for organizations to leverage automation and innovative solutions for streamlined certificate management processes.
- ServiceNow integration: Manage, issue, and renew public and private trust certificates from your ServiceNow instance.
- Venafi Integration: Learn how the combined Entrust and Venafi products complement each other for a solution that is unmatched.
- Entrust Connect for Microsoft Azure: Expand your enterprise TLS certificate coverage by integrating Entrust Connect with Microsoft Azure Key Vault.
Entrust firmly positioned as a market leader in Frost Radar analytics
Frost & Sullivan's latest Global Holistic TLS Certificate Market report provides a comprehensive overview of the market and its CAs. Their Frost Radar™ benchmarking system evaluates CAs using a growth index and an innovation index, both of which take many factors into account. Entrust was ranked as one of the fastest-growing CAs globally and a leader in innovation.